Written by Or Katz and Raviv Perets
A widespread phishing scam that offers free airline tickets has been spotted in the wild by Akamai's Enterprise Threat Protector (ETP) security research team. The campaign uses a number of social engineering techniques to trick people into providing their private information. When someone clicks on the link in the phishing email, they are taken to a dedicated website that tells them they have "won" two free airline tickets.
To claim the tickets, people follow two steps:
- Share a post on Facebook that helps the phishing scam go viral.
- Complete an online survey that requires users to enter their personal details including email address, phone number, home address, and age.
Campaigns like this are used by scammers to harvest email addresses and other personal details. That data can then be used for subsequent spam campaigns or sold to other malicious actors.
In the initial step of the scam, the spam email containing the link to the phishing domain is sent. Spammers will typically send vast quantities of emails from networks of compromised devices, either directly "owned" or "rented" from other criminals. This is a numbers game, so spammers only need a small number of people to open the email and click on the included link.
Once the link is clicked, the user lands on a purpose-built website designed to convince them that they have genuinely won two free airline tickets.
Figure 1 - Initial phishing domain leads the user to share a Facebook post and directs them to a survey website.
According to our investigation, at least 12 dedicated domains serving identical content were used to execute the initial step of the campaign (see Figure 1). The campaign combined several social engineering techniques:
- Domain names that paired the airline's name with contextual words such as "offer", "iLove", and "ticket", so that the URL itself reads like a legitimate promotion.
- Every instance of the phishing site looks the same, down to the "We only have 332 tickets remaining, so hurry up!" message, which lends the page an air of legitimacy and creates a sense of urgency that pushes people to hand over the requested personal details.
- A fake Facebook plugin was added at the bottom of the phishing website showing a number of fictitious "likes" and user comments thanking the airline.
Figure 2 - Fake Facebook plugin on the phishing website.
Figure 3 - Online survey website.
During our investigation, a sample of service provider DNS traffic was inspected for a period of seven days, before and after the first indications of the campaign were detected by Akamai's new Enterprise Threat Protector.
Figure 4 - DNS users' traffic to phishing domains.
The Campaign Over Time graph (Figure 4) shows the number of users that accessed the phishing domains per day. Prior to July 6, no requests were made to these domains, and when looking into historical registration information on these domains, we see that they were registered during the first week of July 2017.
Newly registered domains followed by a sharp rise in traffic from a zero baseline are indicators that recur across many phishing campaigns: the dedicated, campaign-specific domains are registered shortly before the lure emails go out and are activated for the sole purpose of the campaign. Both signals are visible in resolver logs, which is what makes DNS a useful vantage point for catching the first phase.
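As an added illustration (not part of the original post and not Akamai's tooling), the following Python triages a small set of constructed resolver log records against the indicators discussed above and in the domain-naming observations earlier: a registration date close to the first query for the name (taken here from a hand-built dictionary standing in for a WHOIS/RDAP lookup), a ramp in distinct users after an observed zero baseline, and lure words of the kind the campaign put in its domain names. The domain names, client IDs and dates are invented, and the thresholds (30 days, three distinct users, a three-day quiet baseline, two signals to flag) are assumptions that would be tuned against real traffic.

```python
from collections import defaultdict
from datetime import date

# Constructed resolver log: (day, client id, queried name). Illustrative only,
# not the service-provider traffic sample analysed in the post.
SAMPLE_DNS_LOG = [
    ("2017-07-03", "c01", "www.example.com"),
    ("2017-07-04", "c02", "www.example.com"),
    ("2017-07-05", "c03", "www.example.com"),
    ("2017-07-06", "c01", "www.example.com"),
    ("2017-07-06", "c04", "airline-free-ticket-offer.example"),
    ("2017-07-06", "c05", "airline-free-ticket-offer.example"),
    ("2017-07-07", "c06", "airline-free-ticket-offer.example"),
    ("2017-07-07", "c07", "airline-free-ticket-offer.example"),
    ("2017-07-07", "c08", "airline-free-ticket-offer.example"),
    ("2017-07-07", "c08", "airline-free-ticket-offer.example"),  # repeat from one client
    ("2017-07-07", "c02", "www.example.com"),
]

# Constructed registration dates keyed by registrable domain, standing in for
# what a WHOIS/RDAP lookup would return (assumed values, not real records).
REGISTRATION_DATES = {
    "example.com": date(2005, 1, 12),
    "airline-free-ticket-offer.example": date(2017, 7, 3),
}

# Words of the kind the campaign combined with the airline's name.
LURE_KEYWORDS = ("offer", "ilove", "ticket", "free", "win")


def registrable_domain(name):
    """Last two labels of a name. Toy rule: ignores multi-label public suffixes (co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def daily_unique_users(log):
    """name -> {day: set of client ids}. Counting distinct clients rather than
    raw queries keeps one chatty stub resolver from looking like a campaign."""
    per_day = defaultdict(lambda: defaultdict(set))
    for day, client, name in log:
        per_day[name][date.fromisoformat(day)].add(client)
    return per_day


def peak_daily_users(day_counts):
    """Largest number of distinct clients seen for a name on any single day."""
    return max((len(users) for users in day_counts.values()), default=0)


def is_newly_registered(name, first_seen, reg_dates, max_age_days=30):
    """Registered at most max_age_days before the first query we saw for it."""
    registered = reg_dates.get(registrable_domain(name))
    return registered is not None and 0 <= (first_seen - registered).days <= max_age_days


def has_sudden_ramp(day_counts, log_start, min_users=3, quiet_days=3):
    """Zero queries for at least quiet_days of observed traffic, then at least
    min_users distinct clients on one day. A name already present on the first
    day of the log has no observed baseline and does not qualify."""
    first_seen = min(day_counts)
    observed_quiet = (first_seen - log_start).days
    return observed_quiet >= quiet_days and peak_daily_users(day_counts) >= min_users


def lure_keywords_in(name):
    """Lure words present in the name, in LURE_KEYWORDS order."""
    lowered = name.lower()
    return [kw for kw in LURE_KEYWORDS if kw in lowered]


def triage(log, reg_dates, min_signals=2):
    """Return {name: [reasons]} for names matching at least min_signals indicators.
    Requiring two keeps a single new-but-legitimate site, or a lone keyword hit,
    from being flagged on its own."""
    per_day = daily_unique_users(log)
    log_start = min(date.fromisoformat(day) for day, _, _ in log)
    flagged = {}
    for name, day_counts in per_day.items():
        reasons = []
        if is_newly_registered(name, min(day_counts), reg_dates):
            reasons.append("registered within 30 days of first query")
        if has_sudden_ramp(day_counts, log_start):
            reasons.append("no observed traffic, then rapid ramp in distinct users")
        kws = lure_keywords_in(name)
        if kws:
            reasons.append("lure keywords in name: " + ", ".join(kws))
        if len(reasons) >= min_signals:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DNS_LOG, REGISTRATION_DATES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data the lure domain is flagged on all three signals and `www.example.com` on none. The registration check alone would also flag any legitimate newly launched site, and the keyword list alone would flag a real airline promotion, which is why the triage asks for two independent signals before raising a name; in production the registrable-domain logic should use the public suffix list rather than the two-label shortcut above.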
Phishing campaigns that harvest lower-sensitivity personal information such as email addresses are common and have been seen many times before. On their own they pose a limited risk to users compared with campaigns that end in a malware download or stolen login credentials.
Nonetheless, despite the smaller risk, campaigns such as the one described above should not be overlooked or dismissed. Malicious actors that steal personal information, including email addresses, can use that information to execute email spam campaigns with the intention of infecting users with ransomware or other types of malware. In addition, once cybercriminals have some basic information about people, it can be used to launch subsequent attacks to gather additional information about them. In this way, the malicious actors continue to gather valuable information that they can either use or sell.
People should always expect that any offer that sounds "too good to be true" probably is. It is much more likely that a malicious actor is trying to get something from an individual by promising the stars, or two free tickets, than delivering on an offer.
For enterprise network protection, monitoring DNS traffic is a good place to start. Every victim has to resolve the lure domain before reaching the phishing page, so newly registered domains that suddenly attract traffic stand out in resolver logs, and blocking resolution of those domains at the DNS layer stops the campaign before any personal data is entered.
This social engineering scam and others like it are just the first step down a slippery and dangerous slope. Being able to identify, block, and mitigate these threats is now a critical requirement for any enterprise security team.
To learn more about how you can get proactive threat protection, reach out to your Akamai account team or visit https://www.akamai.com/etp.